SENTRY-432: Synchronization of HDFS permissions to Sentry permissions (Arun Suresh via Lenni Kuff)
This change adds support for synchronizing HDFS permissions with permissions stored in Sentry. This makes it easy to share data across components (Hive/Impala, MR, Spark, etc) while managing all privileges in a centralized location - Sentry. This is done using new plugins to the HMS, HDFS, and Sentry. The HMS plugin pushes table/partition path information to the Sentry Service, the Sentry Service forwards the path information and all privilege updates, to the HDFS NameNode plugin, which caches this information and updates the ACLs accordingly. The mapping of Sentry privileges to HDFS privileges is: ALL -> Read/Write access to data files SELECT -> Read access to data files INSERT -> Write access to data files Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/2e509e4b Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/2e509e4b Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/2e509e4b Branch: refs/heads/master Commit: 2e509e4bc4f06e1c207d5702aad55b290ef390a4 Parents: 49e6086 Author: Lenni Kuff <[email protected]> Authored: Wed Nov 12 22:58:53 2014 -0800 Committer: Lenni Kuff <[email protected]> Committed: Wed Nov 12 23:32:32 2014 -0800 ---------------------------------------------------------------------- bin/sentry | 3 + pom.xml | 61 +- .../SentryHiveAuthorizationTaskFactoryImpl.java | 14 + .../sentry/binding/hive/conf/HiveAuthzConf.java | 4 +- .../SentryMetastorePostEventListener.java | 159 +- sentry-dist/pom.xml | 1 + sentry-dist/src/main/assembly/bin.xml | 24 +- sentry-hdfs/pom.xml | 38 + sentry-hdfs/sentry-hdfs-common/.gitignore | 18 + sentry-hdfs/sentry-hdfs-common/pom.xml | 148 + .../hdfs/service/thrift/SentryHDFSService.java | 3483 ++++++++++++++++++ .../service/thrift/TAuthzUpdateResponse.java | 603 +++ .../hdfs/service/thrift/TPathChanges.java | 765 ++++ .../sentry/hdfs/service/thrift/TPathEntry.java | 747 ++++ .../sentry/hdfs/service/thrift/TPathsDump.java | 549 +++ .../hdfs/service/thrift/TPathsUpdate.java | 748 ++++ .../hdfs/service/thrift/TPermissionsUpdate.java | 810 ++++ .../hdfs/service/thrift/TPrivilegeChanges.java | 713 ++++ .../hdfs/service/thrift/TRoleChanges.java | 691 ++++ .../java/org/apache/sentry/hdfs/AuthzPaths.java | 58 + .../apache/sentry/hdfs/AuthzPathsDumper.java | 28 + .../apache/sentry/hdfs/AuthzPermissions.java | 28 + .../java/org/apache/sentry/hdfs/HMSPaths.java | 510 +++ .../org/apache/sentry/hdfs/HMSPathsDumper.java | 126 + .../org/apache/sentry/hdfs/MetastoreClient.java | 38 + .../org/apache/sentry/hdfs/PathsUpdate.java | 88 + .../apache/sentry/hdfs/PermissionsUpdate.java | 94 + .../sentry/hdfs/SentryHDFSServiceClient.java | 229 ++ .../apache/sentry/hdfs/ServiceConstants.java | 70 + .../java/org/apache/sentry/hdfs/Updateable.java | 67 + .../sentry/hdfs/UpdateableAuthzPaths.java | 153 + .../main/resources/sentry_hdfs_service.thrift | 87 + .../org/apache/sentry/hdfs/TestHMSPaths.java | 357 ++ .../sentry/hdfs/TestHMSPathsFullDump.java | 112 + .../sentry/hdfs/TestUpdateableAuthzPaths.java | 156 + .../src/test/resources/hdfs-sentry.xml | 22 + sentry-hdfs/sentry-hdfs-dist/pom.xml | 79 + .../sentry-hdfs-namenode-plugin/.gitignore | 18 + sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml | 63 + .../hdfs/SentryAuthorizationConstants.java | 55 + .../sentry/hdfs/SentryAuthorizationInfo.java | 237 ++ .../hdfs/SentryAuthorizationProvider.java | 372 ++ .../apache/sentry/hdfs/SentryPermissions.java | 220 ++ .../org/apache/sentry/hdfs/SentryUpdater.java | 61 + .../sentry/hdfs/UpdateableAuthzPermissions.java | 230 ++ .../hdfs/MockSentryAuthorizationProvider.java | 26 + .../sentry/hdfs/SentryAuthorizationInfoX.java | 85 + .../hdfs/TestSentryAuthorizationProvider.java | 164 + .../src/test/resources/hdfs-sentry.xml | 33 + sentry-hdfs/sentry-hdfs-service/.gitignore | 18 + sentry-hdfs/sentry-hdfs-service/pom.xml | 104 + .../sentry/hdfs/ExtendedMetastoreClient.java | 108 + .../org/apache/sentry/hdfs/MetastorePlugin.java | 257 ++ .../sentry/hdfs/SentryHDFSServiceProcessor.java | 118 + .../hdfs/SentryHDFSServiceProcessorFactory.java | 108 + .../org/apache/sentry/hdfs/SentryPlugin.java | 247 ++ .../org/apache/sentry/hdfs/UpdateForwarder.java | 292 ++ .../sentry/hdfs/UpdateablePermissions.java | 62 + .../apache/sentry/hdfs/TestUpdateForwarder.java | 307 ++ sentry-provider/sentry-provider-db/pom.xml | 78 +- .../db/SentryMetastoreListenerPlugin.java | 48 + .../provider/db/SentryPolicyStorePlugin.java | 60 + .../provider/db/SimpleDBProviderBackend.java | 40 +- .../db/service/persistent/SentryStore.java | 81 +- .../thrift/SentryPolicyStoreProcessor.java | 72 +- .../sentry/service/thrift/SentryService.java | 1 + .../sentry/service/thrift/ServiceConstants.java | 7 + .../thrift/TestSentryPolicyStoreProcessor.java | 1 + .../thrift/TestSentryServerWithoutKerberos.java | 4 +- sentry-tests/sentry-tests-hive/pom.xml | 17 + .../tests/e2e/hdfs/TestHDFSIntegration.java | 787 ++++ .../sentry/tests/e2e/hive/StaticUserGroup.java | 2 + ...actMetastoreTestWithStaticConfiguration.java | 2 + .../e2e/metastore/TestMetastoreEndToEnd.java | 49 +- 74 files changed, 16202 insertions(+), 113 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2e509e4b/bin/sentry ---------------------------------------------------------------------- diff --git a/bin/sentry b/bin/sentry index 0b98049..93809ea 100755 --- a/bin/sentry +++ b/bin/sentry @@ -72,6 +72,9 @@ then for f in ${SENTRY_HOME}/lib/server/*.jar; do HADOOP_CLASSPATH=${HADOOP_CLASSPATH}:${f} done + for f in ${SENTRY_HOME}/lib/plugins/*.jar; do + HADOOP_CLASSPATH=${HADOOP_CLASSPATH}:${f} + done exec $HADOOP jar ${SENTRY_HOME}/lib/${_CMD_JAR} org.apache.sentry.SentryMain ${args[@]} else exec ${SENTRY_HOME}/bin/config_tool ${args[@]} http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2e509e4b/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 8c59ba9..b0cdd9a 100644 --- a/pom.xml +++ b/pom.xml @@ -68,7 +68,7 @@ limitations under the License. <derby.version>10.10.2.0</derby.version> <commons-cli.version>1.2</commons-cli.version> <hive.version>0.13.1-cdh5.3.0-SNAPSHOT</hive.version> - <hadoop.version>2.3.0-cdh5.1.0-SNAPSHOT</hadoop.version> + <hadoop.version>2.5.0-cdh5.2.0-SNAPSHOT</hadoop.version> <fest.reflect.version>1.4.1</fest.reflect.version> <guava.version>11.0.2</guava.version> <junit.version>4.9</junit.version> @@ -151,6 +151,12 @@ limitations under the License. </dependency> <dependency> <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-hdfs</artifactId> + <version>${hadoop.version}</version> + <type>test-jar</type> + </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> <artifactId>hadoop-minicluster</artifactId> <version>${hadoop.version}</version> </dependency> @@ -336,6 +342,26 @@ limitations under the License. </dependency> <dependency> <groupId>org.apache.sentry</groupId> + <artifactId>sentry-hdfs-common</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-hdfs-service</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-hdfs-namenode-plugin</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-hdfs-dist</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> + <groupId>org.apache.sentry</groupId> <artifactId>sentry-provider-cache</artifactId> <version>${project.version}</version> </dependency> @@ -403,6 +429,7 @@ limitations under the License. <module>sentry-provider</module> <module>sentry-policy</module> <module>sentry-tests</module> + <module>sentry-hdfs</module> <module>sentry-dist</module> </modules> @@ -427,8 +454,38 @@ limitations under the License. <downloadSources>true</downloadSources> <workspaceActiveCodeStyleProfileName>GoogleStyle</workspaceActiveCodeStyleProfileName> <workspaceCodeStylesURL>https://google-styleguide.googlecode.com/svn/trunk/eclipse-java-google-style.xml</workspaceCodeStylesURL> + <sourceIncludes><include>src/gen/thrift/gen-javabean/**</include></sourceIncludes> </configuration> </plugin> + +<!--- + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-shade-plugin</artifactId> + <version>2.1</version> + <executions> + <execution> + <phase>package</phase> + <goals> + <goal>shade</goal> + </goals> + <configuration> + <artifactSet> + <includes> + <include>org.apache.thrift:libthrift</include> + </includes> + </artifactSet> + <relocations> + <relocation> + <pattern>org.apache.thrift</pattern> + <shadedPattern>sentry.org.apache.thrift</shadedPattern> + </relocation> + </relocations> + </configuration> + </execution> + </executions> + </plugin> +--> </plugins> <pluginManagement> @@ -515,10 +572,12 @@ limitations under the License. <exclude>**/.metadata/</exclude> <!-- Maven working directory --> <exclude>**/target/</exclude> + <exclude>**/assembly/</exclude> <!-- Pre commit testing generated files --> <exclude>maven-repo/</exclude> <exclude>test-output/</exclude> <!-- Derby files which are created after test run --> + <exclude>**/dependency-reduced-pom.xml</exclude> <exclude>**/derby.log</exclude> <exclude>**/service.properties</exclude> <exclude>**/*.lck</exclude> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2e509e4b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java index f38ee91..39a22c6 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java @@ -50,11 +50,14 @@ import org.apache.hadoop.hive.ql.security.authorization.Privilege; import org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.sentry.core.model.db.AccessConstants; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import com.google.common.base.Preconditions; public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorizationTaskFactory { + private static final Logger LOG = LoggerFactory.getLogger(SentryHiveAuthorizationTaskFactoryImpl.class); public SentryHiveAuthorizationTaskFactoryImpl(HiveConf conf, Hive db) { @@ -238,6 +241,7 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization HashSet<ReadEntity> inputs, HashSet<WriteEntity> outputs) throws SemanticException { List<PrincipalDesc> principalDesc = analyzePrincipalListDef( (ASTNode) ast.getChild(0)); + List<String> roles = new ArrayList<String>(); for (int i = 1; i < ast.getChildCount(); i++) { roles.add(BaseSemanticAnalyzer.unescapeIdentifier(ast.getChild(i).getText())); @@ -314,18 +318,28 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization ASTNode child = (ASTNode) node.getChild(i); PrincipalType type = null; switch (child.getType()) { + case 880: + type = PrincipalType.USER; + break; case HiveParser.TOK_USER: type = PrincipalType.USER; break; + case 685: + type = PrincipalType.GROUP; + break; case HiveParser.TOK_GROUP: type = PrincipalType.GROUP; break; + case 782: + type = PrincipalType.ROLE; + break; case HiveParser.TOK_ROLE: type = PrincipalType.ROLE; break; } String principalName = BaseSemanticAnalyzer.unescapeIdentifier(child.getChild(0).getText()); PrincipalDesc principalDesc = new PrincipalDesc(principalName, type); + LOG.debug("## Principal : [ " + principalName + ", " + type + "]"); principalList.add(principalDesc); } return principalList; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2e509e4b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java index 4d2a625..93f19f3 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java @@ -18,7 +18,7 @@ package org.apache.sentry.binding.hive.conf; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hive.conf.HiveConf; -import org.mortbay.log.Log; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -203,7 +203,7 @@ public class HiveAuthzConf extends Configuration { if (retVal == null) { retVal = AuthzConfVars.getDefault(varName); } else { - Log.warn("Using the deprecated config setting " + currentToDeprecatedProps.get(varName).getVar() + + LOG.warn("Using the deprecated config setting " + currentToDeprecatedProps.get(varName).getVar() + " instead of " + varName); } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2e509e4b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetastorePostEventListener.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetastorePostEventListener.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetastorePostEventListener.java index 38bf8b2..3760fe9 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetastorePostEventListener.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetastorePostEventListener.java @@ -25,10 +25,14 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.metastore.MetaStoreEventListener; import org.apache.hadoop.hive.metastore.api.MetaException; +import org.apache.hadoop.hive.metastore.api.Partition; +import org.apache.hadoop.hive.metastore.events.AddPartitionEvent; +import org.apache.hadoop.hive.metastore.events.AlterPartitionEvent; import org.apache.hadoop.hive.metastore.events.AlterTableEvent; import org.apache.hadoop.hive.metastore.events.CreateDatabaseEvent; import org.apache.hadoop.hive.metastore.events.CreateTableEvent; import org.apache.hadoop.hive.metastore.events.DropDatabaseEvent; +import org.apache.hadoop.hive.metastore.events.DropPartitionEvent; import org.apache.hadoop.hive.metastore.events.DropTableEvent; import org.apache.hadoop.security.UserGroupInformation; import org.apache.sentry.SentryUserException; @@ -38,24 +42,60 @@ import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.model.db.Database; import org.apache.sentry.core.model.db.Server; import org.apache.sentry.core.model.db.Table; +import org.apache.sentry.provider.db.SentryMetastoreListenerPlugin; import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient; import org.apache.sentry.service.thrift.SentryServiceClientFactory; +import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties; +import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; public class SentryMetastorePostEventListener extends MetaStoreEventListener { + + private static final Logger LOGGER = LoggerFactory.getLogger(SentryMetastoreListenerPlugin.class); private final SentryServiceClientFactory sentryClientFactory; private final HiveAuthzConf authzConf; private final Server server; + private List<SentryMetastoreListenerPlugin> sentryPlugins = new ArrayList<SentryMetastoreListenerPlugin>(); + public SentryMetastorePostEventListener(Configuration config) { super(config); sentryClientFactory = new SentryServiceClientFactory(); - authzConf = HiveAuthzConf.getAuthzConf(new HiveConf()); + authzConf = HiveAuthzConf.getAuthzConf((HiveConf)config); server = new Server(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar())); + Iterable<String> pluginClasses = ConfUtilties.CLASS_SPLITTER + .split(config.get(ServerConfig.SENTRY_METASTORE_PLUGINS, + ServerConfig.SENTRY_METASTORE_PLUGINS_DEFAULT).trim()); + try { + for (String pluginClassStr : pluginClasses) { + Class<?> clazz = config.getClassByName(pluginClassStr); + if (!SentryMetastoreListenerPlugin.class.isAssignableFrom(clazz)) { + throw new IllegalArgumentException("Class [" + + pluginClassStr + "] is not a " + + SentryMetastoreListenerPlugin.class.getName()); + } + SentryMetastoreListenerPlugin plugin = (SentryMetastoreListenerPlugin) clazz + .getConstructor(Configuration.class).newInstance(config); + sentryPlugins.add(plugin); + } + } catch (Exception e) { + LOGGER.error("Could not initialize Plugin !!", e); + throw new RuntimeException(e); + } } @Override public void onCreateTable (CreateTableEvent tableEvent) throws MetaException { + if (tableEvent.getTable().getSd().getLocation() != null) { + String authzObj = tableEvent.getTable().getDbName() + "." + + tableEvent.getTable().getTableName(); + String path = tableEvent.getTable().getSd().getLocation(); + for (SentryMetastoreListenerPlugin plugin : sentryPlugins) { + plugin.addPath(authzObj, path); + } + } // drop the privileges on the given table, in case if anything was left // behind during the drop if (!syncWithPolicyStore(AuthzConfVars.AUTHZ_SYNC_CREATE_WITH_POLICY_STORE)) { @@ -71,6 +111,13 @@ public class SentryMetastorePostEventListener extends MetaStoreEventListener { @Override public void onDropTable(DropTableEvent tableEvent) throws MetaException { + if (tableEvent.getTable().getSd().getLocation() != null) { + String authzObj = tableEvent.getTable().getDbName() + "." + + tableEvent.getTable().getTableName(); + for (SentryMetastoreListenerPlugin plugin : sentryPlugins) { + plugin.removeAllPaths(authzObj, null); + } + } // drop the privileges on the given table if (!syncWithPolicyStore(AuthzConfVars.AUTHZ_SYNC_DROP_WITH_POLICY_STORE)) { return; @@ -86,6 +133,13 @@ public class SentryMetastorePostEventListener extends MetaStoreEventListener { @Override public void onCreateDatabase(CreateDatabaseEvent dbEvent) throws MetaException { + if (dbEvent.getDatabase().getLocationUri() != null) { + String authzObj = dbEvent.getDatabase().getName(); + String path = dbEvent.getDatabase().getLocationUri(); + for (SentryMetastoreListenerPlugin plugin : sentryPlugins) { + plugin.addPath(authzObj, path); + } + } // drop the privileges on the database, incase anything left behind during // last drop db if (!syncWithPolicyStore(AuthzConfVars.AUTHZ_SYNC_CREATE_WITH_POLICY_STORE)) { @@ -105,6 +159,12 @@ public class SentryMetastorePostEventListener extends MetaStoreEventListener { */ @Override public void onDropDatabase(DropDatabaseEvent dbEvent) throws MetaException { + String authzObj = dbEvent.getDatabase().getName(); + for (SentryMetastoreListenerPlugin plugin : sentryPlugins) { + List<String> tNames = dbEvent.getHandler().get_all_tables(authzObj); + plugin.removeAllPaths(authzObj, tNames); + } + dropSentryDbPrivileges(dbEvent.getDatabase().getName()); if (!syncWithPolicyStore(AuthzConfVars.AUTHZ_SYNC_DROP_WITH_POLICY_STORE)) { return; } @@ -121,9 +181,6 @@ public class SentryMetastorePostEventListener extends MetaStoreEventListener { @Override public void onAlterTable (AlterTableEvent tableEvent) throws MetaException { String oldTableName = null, newTableName = null; - if (!syncWithPolicyStore(AuthzConfVars.AUTHZ_SYNC_ALTER_WITH_POLICY_STORE)) { - return; - } // don't sync privileges if the operation has failed if (!tableEvent.getStatus()) { return; @@ -135,10 +192,63 @@ public class SentryMetastorePostEventListener extends MetaStoreEventListener { if (tableEvent.getNewTable() != null) { newTableName = tableEvent.getNewTable().getTableName(); } - if (!oldTableName.equalsIgnoreCase(newTableName)) { - renameSentryTablePrivilege(tableEvent.getOldTable().getDbName(), - oldTableName, tableEvent.getNewTable().getDbName(), newTableName); + renameSentryTablePrivilege(tableEvent.getOldTable().getDbName(), + oldTableName, tableEvent.getOldTable().getSd().getLocation(), + tableEvent.getNewTable().getDbName(), newTableName, + tableEvent.getNewTable().getSd().getLocation()); + } + + @Override + public void onAlterPartition(AlterPartitionEvent partitionEvent) + throws MetaException { + // don't sync privileges if the operation has failed + if (!partitionEvent.getStatus()) { + return; + } + String oldLoc = null, newLoc = null; + if (partitionEvent.getOldPartition() != null) { + oldLoc = partitionEvent.getOldPartition().getSd().getLocation(); + } + if (partitionEvent.getNewPartition() != null) { + newLoc = partitionEvent.getNewPartition().getSd().getLocation(); } + + if ((oldLoc != null) && (newLoc != null) && (!oldLoc.equals(newLoc))) { + String authzObj = + partitionEvent.getOldPartition().getDbName() + "." + + partitionEvent.getOldPartition().getTableName(); + for (SentryMetastoreListenerPlugin plugin : sentryPlugins) { + plugin.renameAuthzObject(authzObj, oldLoc, + authzObj, newLoc); + } + } + } + + @Override + public void onAddPartition(AddPartitionEvent partitionEvent) + throws MetaException { + for (Partition part : partitionEvent.getPartitions()) { + if ((part.getSd() != null) && (part.getSd().getLocation() != null)) { + String authzObj = part.getDbName() + "." + part.getTableName(); + String path = part.getSd().getLocation(); + for (SentryMetastoreListenerPlugin plugin : sentryPlugins) { + plugin.addPath(authzObj, path); + } + } + } + super.onAddPartition(partitionEvent); + } + + @Override + public void onDropPartition(DropPartitionEvent partitionEvent) + throws MetaException { + String authzObj = partitionEvent.getTable().getDbName() + "." + + partitionEvent.getTable().getTableName(); + String path = partitionEvent.getPartition().getSd().getLocation(); + for (SentryMetastoreListenerPlugin plugin : sentryPlugins) { + plugin.removePath(authzObj, path); + } + super.onDropPartition(partitionEvent); } private SentryPolicyServiceClient getSentryServiceClient() @@ -194,7 +304,7 @@ public class SentryMetastorePostEventListener extends MetaStoreEventListener { } private void renameSentryTablePrivilege(String oldDbName, String oldTabName, - String newDbName, String newTabName) + String oldPath, String newDbName, String newTabName, String newPath) throws MetaException { List<Authorizable> oldAuthorizableTable = new ArrayList<Authorizable>(); oldAuthorizableTable.add(server); @@ -206,18 +316,26 @@ public class SentryMetastorePostEventListener extends MetaStoreEventListener { newAuthorizableTable.add(new Database(newDbName)); newAuthorizableTable.add(new Table(newTabName)); - try { - String requestorUserName = UserGroupInformation.getCurrentUser() - .getShortUserName(); - SentryPolicyServiceClient sentryClient = getSentryServiceClient(); - sentryClient.renamePrivileges(requestorUserName, oldAuthorizableTable, newAuthorizableTable); - } catch (SentryUserException e) { - throw new MetaException( - "Failed to remove Sentry policies for rename table " + oldDbName - + "." + oldTabName + "to " + newDbName + "." + newTabName - + " Error: " + e.getMessage()); - } catch (IOException e) { - throw new MetaException("Failed to find local user " + e.getMessage()); + if (!oldTabName.equalsIgnoreCase(newTabName) + && syncWithPolicyStore(AuthzConfVars.AUTHZ_SYNC_ALTER_WITH_POLICY_STORE)) { + try { + String requestorUserName = UserGroupInformation.getCurrentUser() + .getShortUserName(); + SentryPolicyServiceClient sentryClient = getSentryServiceClient(); + sentryClient.renamePrivileges(requestorUserName, oldAuthorizableTable, newAuthorizableTable); + } catch (SentryUserException e) { + throw new MetaException( + "Failed to remove Sentry policies for rename table " + oldDbName + + "." + oldTabName + "to " + newDbName + "." + newTabName + + " Error: " + e.getMessage()); + } catch (IOException e) { + throw new MetaException("Failed to find local user " + e.getMessage()); + } + } + // The HDFS plugin needs to know if it's a path change (set location) + for (SentryMetastoreListenerPlugin plugin : sentryPlugins) { + plugin.renameAuthzObject(oldDbName + "." + oldTabName, oldPath, + newDbName + "." + newTabName, newPath); } } @@ -225,4 +343,5 @@ public class SentryMetastorePostEventListener extends MetaStoreEventListener { return "true" .equalsIgnoreCase((authzConf.get(syncConfVar.getVar(), "true"))); } + } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2e509e4b/sentry-dist/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml index cd7126b..4eb1d9c 100644 --- a/sentry-dist/pom.xml +++ b/sentry-dist/pom.xml @@ -77,6 +77,7 @@ limitations under the License. </dependencies> <build> <plugins> + <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-assembly-plugin</artifactId> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2e509e4b/sentry-dist/src/main/assembly/bin.xml ---------------------------------------------------------------------- diff --git a/sentry-dist/src/main/assembly/bin.xml b/sentry-dist/src/main/assembly/bin.xml index 258e63c..f1d301b 100644 --- a/sentry-dist/src/main/assembly/bin.xml +++ b/sentry-dist/src/main/assembly/bin.xml @@ -46,6 +46,18 @@ <exclude>org.apache.derby:derby</exclude> </excludes> </dependencySet> +<!-- + <dependencySet> + <outputDirectory>lib/plugins</outputDirectory> + <unpack>true</unpack> + <useTransitiveDependencies>false</useTransitiveDependencies> + <includes> + <include>org.apache.sentry:sentry-provider-db</include> + <include>org.apache.sentry:sentry-hdfs-common</include> + <include>org.apache.sentry:sentry-hdfs-namenode-plugin</include> + </includes> + </dependencySet> +--> <dependencySet> <outputDirectory>lib/server</outputDirectory> <unpack>false</unpack> @@ -57,7 +69,6 @@ <include>com.jolbox:bonecp</include> <include>org.apache.hive:hive-beeline</include> <include>org.apache.derby:derby</include> - <include>org.apache.derby:derby</include> </includes> </dependencySet> </dependencySets> @@ -80,6 +91,7 @@ <exclude>sentry-provider/**</exclude> <exclude>sentry-policy/**</exclude> <exclude>sentry-tests/**</exclude> + <exclude>sentry-hdfs/**</exclude> </excludes> <includes> @@ -95,6 +107,16 @@ <outputDirectory>/</outputDirectory> </fileSet> <fileSet> + <directory>${project.parent.basedir}/sentry-hdfs/sentry-hdfs-dist/target</directory> + <includes> + <include>sentry-hdfs-*.jar</include> + </includes> + <excludes> + <exclude>sentry-hdfs-dist-*.jar</exclude> + </excludes> + <outputDirectory>lib/plugins</outputDirectory> + </fileSet> + <fileSet> <directory>${project.parent.basedir}/sentry-provider/sentry-provider-db/src/main/resources</directory> <includes> <include>**/*</include> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2e509e4b/sentry-hdfs/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-hdfs/pom.xml b/sentry-hdfs/pom.xml new file mode 100644 index 0000000..1455235 --- /dev/null +++ b/sentry-hdfs/pom.xml @@ -0,0 +1,38 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> +<project xmlns="http://maven.apache.org/POM/4.0.0"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd";> + + <modelVersion>4.0.0</modelVersion> + + <parent> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry</artifactId> + <version>1.5.0-incubating-SNAPSHOT</version> + </parent> + + <artifactId>sentry-hdfs</artifactId> + <name>Sentry HDFS</name> + <packaging>pom</packaging> + <modules> + <module>sentry-hdfs-common</module> + <module>sentry-hdfs-service</module> + <module>sentry-hdfs-namenode-plugin</module> + <module>sentry-hdfs-dist</module> + </modules> + +</project> http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2e509e4b/sentry-hdfs/sentry-hdfs-common/.gitignore ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-common/.gitignore b/sentry-hdfs/sentry-hdfs-common/.gitignore new file mode 100644 index 0000000..91ad75b --- /dev/null +++ b/sentry-hdfs/sentry-hdfs-common/.gitignore @@ -0,0 +1,18 @@ +*.class +target/ +.classpath +.project +.settings +.metadata +.idea/ +*.iml +derby.log +datanucleus.log +sentry-core/sentry-core-common/src/gen +**/TempStatsStore/ +# Package Files # +*.jar +*.war +*.ear +test-output/ +maven-repo/ http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2e509e4b/sentry-hdfs/sentry-hdfs-common/pom.xml ---------------------------------------------------------------------- diff --git a/sentry-hdfs/sentry-hdfs-common/pom.xml b/sentry-hdfs/sentry-hdfs-common/pom.xml new file mode 100644 index 0000000..511bc53 --- /dev/null +++ b/sentry-hdfs/sentry-hdfs-common/pom.xml @@ -0,0 +1,148 @@ +<?xml version="1.0"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> +<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"; xmlns="http://maven.apache.org/POM/4.0.0"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.apache.sentry</groupId> + <artifactId>sentry-hdfs</artifactId> + <version>1.5.0-incubating-SNAPSHOT</version> + </parent> + + <artifactId>sentry-hdfs-common</artifactId> + <name>Sentry HDFS Common</name> + + <dependencies> + + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-minicluster</artifactId> + <version>2.5.0</version> + <scope>provided</scope> + </dependency> + + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>com.google.guava</groupId> + <artifactId>guava</artifactId> + </dependency> + <dependency> + <groupId>org.apache.hive</groupId> + <artifactId>hive-metastore</artifactId> + <scope>provided</scope> + </dependency> + <dependency> + <groupId>org.apache.hadoop</groupId> + <artifactId>hadoop-common</artifactId> + <version>2.5.0</version> + <scope>provided</scope> + </dependency> + </dependencies> + <build> + <sourceDirectory>${basedir}/src/main/java</sourceDirectory> + <testSourceDirectory>${basedir}/src/test/java</testSourceDirectory> + <plugins> + <plugin> + <groupId>org.codehaus.mojo</groupId> + <artifactId>build-helper-maven-plugin</artifactId> + <executions> + <execution> + <id>add-source</id> + <phase>generate-sources</phase> + <goals> + <goal>add-source</goal> + </goals> + <configuration> + <sources> + <source>src/gen/thrift/gen-javabean</source> + </sources> + </configuration> + </execution> + </executions> + </plugin> + </plugins> + </build> + <profiles> + <profile> + <id>thriftif</id> + <build> + <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-antrun-plugin</artifactId> + <executions> + <execution> + <id>generate-thrift-sources</id> + <phase>generate-sources</phase> + <configuration> + <target> + <taskdef name="for" classname="net.sf.antcontrib.logic.ForTask" + classpathref="maven.plugin.classpath" /> + <property name="thrift.args" value="-I ${thrift.home} --gen java:beans,hashcode"/> + <property name="thrift.gen.dir" value="${basedir}/src/gen/thrift"/> + <delete dir="${thrift.gen.dir}"/> + <mkdir dir="${thrift.gen.dir}"/> + <for param="thrift.file"> + <path> + <fileset dir="${basedir}/src/main/resources/" includes="**/*.thrift" /> + </path> + <sequential> + <echo message="Generating Thrift code for @{thrift.file}"/> + <exec executable="${thrift.home}/bin/thrift" failonerror="true" dir="."> + <arg line="${thrift.args} -I ${basedir}/src/main/resources/ -o ${thrift.gen.dir} @{thrift.file} " /> + </exec> + </sequential> + </for> + </target> + </configuration> + <goals> + <goal>run</goal> + </goals> + </execution> + </executions> + </plugin> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-enforcer-plugin</artifactId> + <executions> + <execution> + <id>enforce-property</id> + <goals> + <goal>enforce</goal> + </goals> + <configuration> + <rules> + <requireProperty> + <property>thrift.home</property> + </requireProperty> + </rules> + <fail>true</fail> + </configuration> + </execution> + </executions> + </plugin> + </plugins> + </build> + </profile> + </profiles> + +</project>
